DEV Community

adewaleomosanya

Understanding JWT (JSON Web Tokens) for Secure Authentication and Authorization.

JSON Web Token (JWT) is a self-contained way to securely transmit information between two parties as a JSON object. In this article, we'll dive into the structure of JWTs and how they work.

What Is JWT?
JWT (JSON Web Token) is a compact, URL-safe token that is used to securely transmit information between two parties. A JWT can be signed and verified, ensuring that the information is authentic and hasn't been altered.

However, JWT should be used mainly for authorization rather than authentication. In other words, JWT helps manage permissions for users who are already authenticated. Once a user logs in, the server generates a JWT containing information about the user, and the client sends this token with its requests. Each time the client sends a request, the server validates the JWT to authorize the user.

JSON Web Token Structure
A JWT has a standard structure that consists of three parts, separated by dots (.). This structure can be broken down as:
aaaaaaa.bbbbbbb.ccccccc

  1. Header (a)
  2. Payload (b)
  3. Signature (c)

A JSON Web Token sent between the client and the server therefore looks like the illustration above, but in place of the a's, b's and c's it carries characters unique to that specific client.

JWT Header

The header is the first part of a JWT. It contains two key pieces of information:

  • The algorithm used for signing (e.g., HS256, RS256)

  • The type of token (JWT)

A typical JWT header looks like this:

{
  "alg": "HS256",
  "typ": "JWT"
}

The header is then Base64Url encoded to create the first part of the JWT (a).

JWT Payload

The JWT payload carries the data. That data consists of claims, and there are three different types of claims:

  1. Registered
  2. Public
  3. Private

An example of a JWT payload could be:

{
  "sub": "1234567890",
  "name": "Eric Charles",
  "given_name": "Eric",
  "family_name": "Charles",
  "email": "Ericcharles@gmail.com",
  "admin": true
}

The payload is also Base64Url encoded to create the second part of the JWT.

JWT Signature

A JWT signature is created by applying the algorithm named in the header to the encoded header and the encoded payload, together with a secret.
The secret can be anything, but it is saved somewhere on the server that the client does not have access to.
The signature is the third and final part of a JWT (c).

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

This results in the third part of the JWT.

How JWT Works in Practice

Here’s how JWT-based authorization typically works:

  • User Logs In: The user provides their credentials, which are verified by the server.

  • JWT Issued: Upon successful authentication, the server generates a JWT and sends it back to the client. This token contains all the information needed to identify the user and their permissions.

  • Client Stores JWT: The client stores the JWT (usually in local storage or cookies).

  • Client Makes Requests: For future requests, the client sends the JWT in the Authorization header like this:

Authorization: Bearer <JWT_TOKEN>

  • Server Verifies JWT: The server verifies the JWT using the secret key. If the token is valid and hasn't expired, the server processes the request; otherwise, it rejects it.
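
The issue-and-verify steps above, as an added Python example (not code from the original article): it builds the three parts with the HMACSHA256 construction from the signature section, then verifies them the way the server would. The secret, the `exp` claim and the helper names (`issue`, `verify`, `with_payload`) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-0123456789abcdef"  # constructed; HS256 needs >= 256 random bits (RFC 7518)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # JWT parts drop "=" padding

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)"""
    return b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def issue(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return f"{signing_input}.{sign(signing_input, secret)}"

def verify(token: str, secret: bytes, now=None) -> dict:
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # The server pins the algorithm; the header's "alg" is checked, never obeyed.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Recompute the signature over the received parts and compare in constant time.
    if not hmac.compare_digest(sign(f"{h}.{p}", secret).encode(), s.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def with_payload(token: str, payload: dict) -> str:  # altered payload, original signature
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(payload).encode())}.{s}"

if __name__ == "__main__":
    claims = {"sub": "1234567890", "name": "Eric Charles", "admin": False, "exp": int(time.time()) + 300}
    token = issue(claims, SECRET)
    print(token, verify(token, SECRET), sep="\n")
    try:
        verify(with_payload(token, {**claims, "admin": True}), SECRET)
    except ValueError as err:
        print("rejected:", err)
```

The payload is only encoded, not encrypted, so anyone holding the token can read the claims; the signature check is what stops a changed `admin` value from being accepted.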
